Policy: Support NPDS rules with pass verdicts#1754

Open
jrajahalme wants to merge 9 commits into main from policy-pass-verdict-support-2

Conversation

@jrajahalme jrajahalme commented Feb 16, 2026

Add support for NPDS pass verdicts by promoting the precedence of passed-to rules to follow that of the pass verdict rule. NPDS adds a new pass_precedence field that specifies the precedence up to which rules are ignored if the pass rule matches. pass_precedence is mutually exclusive with the deny field. Pass verdict rules cannot have any L7 (e.g., HTTP) rules, as the match is solely done on the port range and the remote security identities (L3/4).

Fix precedence handling between wildcard and specific match port rules by distributing wildcard port rules to the rulesets of specific port ranges. This is cheap since the rules are referred to via shared pointers, and it allows keeping the logic as simple as possible.

Refactor with C++20 ranges for readability.
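A small Python model of the two behaviours the description above talks about, added here as an illustration and not code from this PR or from the cilium/proxy code base: the pre-fix lookup that consulted wildcard-port rules only when no specific-port rule matched, the post-fix distribution of wildcard-port rules into each specific port's ruleset, and a pass verdict evaluated by skipping every rule above its pass_precedence (the exact boundary semantics of pass_precedence, the default-deny when nothing matches, and the sample rules and identities are assumptions made for the example).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Rule:
    precedence: int
    port: Optional[int]                 # None models a wildcard (any-port) rule
    remotes: FrozenSet[int]             # empty set models "any remote identity"
    deny: bool = False
    pass_precedence: Optional[int] = None  # not None => pass verdict rule (assumed)

def remote_matches(rule: Rule, remote: int) -> bool:
    return not rule.remotes or remote in rule.remotes

def verdict_for(rules: List[Rule], remote: int) -> str:
    """Highest-precedence matching rule wins. Assumed pass semantics: a matching
    pass rule discards all rules above its pass_precedence and re-evaluates."""
    ceiling: Optional[int] = None
    while True:
        pool = [r for r in rules if remote_matches(r, remote)
                and (ceiling is None or r.precedence <= ceiling)]
        if not pool:
            return "deny"                   # assumption: no matching rule => deny
        best = max(pool, key=lambda r: r.precedence)
        if best.pass_precedence is None:
            return "deny" if best.deny else "allow"
        ceiling = best.pass_precedence      # pass: continue below the skipped tier

def lookup_before_fix(rules: List[Rule], port: int, remote: int) -> str:
    """Pre-fix: wildcard-port rules were only consulted when no specific-port
    rule matched, so a higher-precedence wildcard deny could be bypassed."""
    specific = [r for r in rules if r.port == port]
    if any(remote_matches(r, remote) for r in specific):
        return verdict_for(specific, remote)
    return verdict_for([r for r in rules if r.port is None], remote)

def build_port_rulesets(rules: List[Rule]) -> Dict[Optional[int], List[Rule]]:
    """Post-fix: every specific port's ruleset also holds the wildcard rules
    (the PR shares pointers; here the same Rule objects are reused)."""
    wildcard = [r for r in rules if r.port is None]
    sets: Dict[Optional[int], List[Rule]] = {None: wildcard}
    for r in rules:
        if r.port is not None:
            sets.setdefault(r.port, list(wildcard)).append(r)
    return sets

def lookup_after_fix(rules: List[Rule], port: int, remote: int) -> str:
    sets = build_port_rulesets(rules)
    return verdict_for(sets.get(port, sets[None]), remote)

# Constructed sample: any-port deny (prec 10), port-80 allow for identity 1001
# (prec 5), and a port-80 pass rule (prec 20) that skips everything above prec 8.
SAMPLE_RULES = [Rule(10, None, frozenset(), deny=True),
                Rule(5, 80, frozenset({1001})),
                Rule(20, 80, frozenset({1001}), pass_precedence=8)]
```

With only the first two rules, lookup_before_fix wrongly allows identity 1001 on port 80 while lookup_after_fix denies it; with the pass rule present, identity 1001 is allowed on port 80 and identity 1002 is still denied.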

@jrajahalme jrajahalme requested a review from a team as a code owner February 16, 2026 19:29
@jrajahalme jrajahalme marked this pull request as draft February 16, 2026 19:29
@jrajahalme jrajahalme removed the request for review from mhofstetter February 16, 2026 19:29
Ran make tidy-fix locally, hopefully CI agrees.

Added new make target tidy-fix-head that checks and fixes only the files
modified in the HEAD commit.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Proxy ID is really a port number, so we can safely limit it to 16 bits.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Pass verdict handling needs to make copies of
PortNetworkPolicyRules. Change the unique pointers to shared pointers
to allow for this.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Parse the new pass_precedence field.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Improve readability with the new isRemoteWildcard helper.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Pre-process policy rules with pass verdicts on policy updates. This
involves promoting the precedence of lower tier rules based on the pass
verdicts on higher tiers. Depending on the remote identities being
matched, the lower tier rule may need to be split up to different sets of
remote identities, or if remotes match exactly then the whole rule can be
promoted to the higher tier.

Splitting up, as required, increases the number of rules. We counter
this by keeping track of "shadowed" identities of higher tier rules, both
within a tier and between tiers, and eliminate rules that can not be
matched when they become completely shadowed.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-pass-verdict-support-2 branch 2 times, most recently from b501309 to 69d3e50 Compare February 18, 2026 20:56
@jrajahalme jrajahalme force-pushed the policy-pass-verdict-support-2 branch from 69d3e50 to 032880a Compare February 24, 2026 09:38
@jrajahalme jrajahalme marked this pull request as ready for review February 24, 2026 09:38
We only looked for wildcard port match if a specific port did not find
any matches. Fix this by distributing wildcard port rules to all explicit
port (range) rules so that they are checked in the right precedence
order. This is cheap as they are referred to by a shared pointer, so no
copies of the actual PortNetworkPolicyRule's are made.

Refactor policy lookups to return a RuleVerdict type.

Fix empty rules with other rules semantics:

A port rule with an empty rules list is an implicit allow of the lowest
precedence. Retain this semantic if a pass rule is added either on the
same port, or to the wildcard port. Without this fix the pass rule
processing does not find the (missing) default-allow-rule and the
precedence of the default allow remains at 0, while it should have been
promoted due to the pass rule.

test TLS with deny

Harden TLS test with deny policies. Make sure raw sockets are not allowed
if there is overriding deny policy.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the policy-pass-verdict-support-2 branch from 032880a to 29148bb Compare February 24, 2026 09:53
@jrajahalme jrajahalme changed the title Policy pass verdict support 2 Policy: Add pass verdict support Feb 24, 2026
@jrajahalme jrajahalme changed the title Policy: Add pass verdict support Policy: Support NPDS rules with pass verdicts Feb 24, 2026
No functional changes, but easier to read.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>